
twitter-api - issue #534

OAuth Issue - localhost or 127.0.0.1 as callback in app settings.

Posted on Apr 28, 2009 by Happy Kangaroo

It appears that one can't specify localhost as an app callback for OAuth. I understand why the oauth_callback arg might be a security hole, but I'm talking about just in the application settings.

I'd like to do this for local development. It's easier than setting a host in /etc/hosts and using that as a fake one, because my developers have to do the same (if they don't have root).

One workaround is just setting up something that's a public DNS that points to 127.0.0.1, which accomplishes more or less the same thing, but this is rather annoying.

Comment #1

Posted on Apr 28, 2009 by Happy Giraffe

We validate the callback URL, and since the host portion "localhost" lacks a TLD it is rejected. We discussed both this and IP addresses when originally adding that validation and left it out. Let me record some of the thinking for posterity.

The main reason for not allowing localhost or IP addresses was the worry of leaking this value to unsuspecting end users. We encouraged the use of the oauth_callback parameter to work around that, but it had to be removed for security reasons. The oauth_callback parameter is expected back soon and was planned to once again provide a workaround that allows for localhost.

In the meantime we have found that all localhost redirecting is denied by Opera [1], even when using the /etc/hosts method, due to a security concern. The comment from Opera is:

"… this type access and redirects can be used to attack servers that are not otherwise available to the public network, and which as a result may have reduced defences against attacks (after all, 'they are behind the firewall')." [1]

This is a good point and we want to evaluate it a bit more before we relax our validation rules. The current thinking is that since we're not a browser, that sort of restriction seems out of place. We will in all likelihood not follow with that restriction and will instead allow the localhost/IP callback mechanism either via relaxed callback validation or via the oauth_callback parameter. Please mark this issue with a star (next to the title) if you are interested in updates.

[1] - http://my.opera.com/community/forums/topic.dml?id=274299
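The validation rule described in the comment above (host must carry a TLD; localhost and bare IP literals are rejected, with a development-only switch for loopback), as an added illustrative example rather than Twitter's own code; the scheme check and the reason strings are assumptions of this example:

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for this example: only web schemes may be registered as callbacks.
ALLOWED_SCHEMES = {"http", "https"}


def _is_ip_literal(host: str) -> bool:
    """True if the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_callback(url: str, allow_loopback: bool = False) -> tuple[bool, str]:
    """Return (ok, reason) for a callback URL registered in app settings.

    Rejects non-http(s) schemes, IP-literal hosts and hosts without a TLD, so
    a registered callback can never send an end user's browser to "localhost"
    or a LAN address (the leak the comment worries about). allow_loopback=True
    models the relaxation discussed in the thread: 127.0.0.1, ::1 and
    "localhost" are admitted for local development only.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme must be http or https"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    is_ip = _is_ip_literal(host)
    if host == "localhost" or (is_ip and ipaddress.ip_address(host).is_loopback):
        if allow_loopback:
            return True, "loopback allowed for development"
        return False, "loopback host rejected"
    if is_ip:
        return False, "IP-literal host rejected"
    # The page's rule: the host must have a TLD, i.e. at least two labels
    # with an alphabetic last label ("domain.tld" passes, "myapp" does not).
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not labels[-1].isalpha():
        return False, "host lacks a TLD"
    return True, "ok"
```

Note that the /etc/hosts trick from the thread passes this check unchanged: "domain.tld" looks like a public host to the validator even though it resolves to 127.0.0.1 on the developer's machine.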

Comment #2

Posted on May 23, 2009 by Happy Giraffe

To add a custom hostname to localhost on OSX do the following:

sudo vim /etc/hosts

At the bottom add:

127.0.0.1 domain.tld

Visiting domain.tld in your browser should now resolve to your localhost.

Comment #3

Posted on Jun 10, 2009 by Happy Giraffe

Custom host names are allowed using the oauth_callback that was re-added with the OAuth 1.0a support. Check out http://mojodna.net/2009/05/20/an-idiots-guide-to-oauth-10a.html for general info on using it or our announcement at http://groups.google.com/group/twitter-development-talk/browse_frm/thread/472500cfe9e7cdb9#

Comment #4

Posted on Aug 17, 2009 by Grumpy Panda

For port forwarding as well... http://bit.ly/FZWVY

Status: Fixed

Labels:
Type-Enhancement Priority-Low Component-OAuth